The present invention generally concerns testing integrated independent levels of security components hosted on a virtualization platform and particularly in embedded infrastructures.
In most industrial fields, it is usual to have different systems with different applications communicating with each other in order to accomplish a task. Each application may be considered as a set of functions, and each function is a piece of software contributing to the execution of a part of the task to be accomplished by the application. For example, many different types of equipment in a vehicle or an aircraft need to exchange data with each other through a communication system in order to accomplish the maneuvering of the vehicle or the aircraft.
Due to the current growing efficiency of computing resources, the trend is to put several applications or functions on the same computer platform in order to use the full computing power and memory storage capabilities offered by that platform. This avoids wasting unused resources and thus reduces the production costs as well as the overall weight of the system, which is particularly advantageous in embedded infrastructures for an aircraft, a satellite or a vehicle. This architecture has, however, the disadvantage of facilitating the propagation of errors. Thus, security means are provided to prevent any design or implementation error in one part of the system from impacting other parts of the system. The system also needs to be protected against deliberate malicious attacks coming from within the system.
This difficulty can be solved by existing security architectures such as MILS (Multiple Independent Levels of Security) built upon strict segregation properties for the execution environments and strict communication paths.
In particular, the functions in a computer system are implemented as a composition of various more or less loosely coupled sub-functions. For designing a MILS computer system, this approach of loosely coupled components is valuable. Indeed, splitting a complex system into small components allows defining requirements for these components and enforcing their correct and secure implementation locally. To achieve the complex function again, the components are put together on the same hardware platform. Usually a special operating system (for example, a separation kernel) provides isolated runtime environments, called partitions, for the components. The separation kernel realizes a non-interference property between the different components of the platform. To still allow communication between partitions, the separation kernel also provides specific channels for inter-partition communication. The communication channels are controlled, and the information flow through them is enforced by a system-wide information flow policy. Both the concept of separation and the concept of controlled information flow between the separated components are the major properties of a MILS system.
FIG. 8 schematically illustrates an example of a MILS system 101 comprising MILS components 103a-103e according to the prior art.
MILS components 103a-103f comprise application partitions 103a-103d, an I/O partition 103e and an external communication interface 103f. The different components operate together via the communication channels 107 of the underlying separation kernel to finally fulfill the system's purpose. The different components communicate via predefined communication paths. Three different types of communication paths can be distinguished in a MILS system: an external communication interface, an inter-partition communication interface and a communication interface via an I/O partition. The communication between a partition and an external communication interface 103f may be realized via a device driver 109.
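The separation and controlled information flow properties described above, as an added illustration that is not part of the patent text: a toy separation kernel that hosts partitions with isolated inboxes and only delivers over a channel when the system-wide policy grants that (source, destination) pair. The partition names, the policy table and the topology are constructed assumptions loosely modelled on FIG. 8.

```python
from collections import defaultdict

class PolicyViolation(Exception):
    """Raised when a partition attempts a flow the system-wide policy does not grant."""

class SeparationKernel:
    """Toy separation kernel: one isolated inbox per partition, channels gated by policy."""
    def __init__(self, partitions, policy):
        self.partitions = set(partitions)
        self.policy = set(policy)            # explicitly permitted (src, dst) channels
        self.inboxes = defaultdict(list)     # each partition only ever reads its own inbox
        self.audit = []                      # (src, dst, allowed) for every attempted flow

    def send(self, src, dst, payload):
        """Deliver over channel src->dst only when both ends exist and the policy allows it."""
        allowed = {src, dst} <= self.partitions and (src, dst) in self.policy
        self.audit.append((src, dst, allowed))
        if not allowed:
            raise PolicyViolation(f"flow {src}->{dst} not permitted by policy")
        self.inboxes[dst].append((src, payload))

    def receive(self, partition):
        """Drain and return the partition's own inbox; nothing else is visible to it."""
        msgs, self.inboxes[partition] = self.inboxes[partition], []
        return msgs

def build_example_system():
    """Constructed topology: application partitions, an I/O partition and an external
    interface that is reachable only through the I/O partition (not the patent's own)."""
    partitions = ["app_a", "app_b", "app_c", "io", "external"]
    policy = {("app_a", "app_b"), ("app_b", "io"), ("io", "external"),
              ("external", "io"), ("io", "app_c")}
    return SeparationKernel(partitions, policy)

def attempt(kernel, src, dst, payload):
    """Try a flow and report whether the kernel accepted it (used to probe the policy)."""
    try:
        kernel.send(src, dst, payload)
        return True
    except PolicyViolation:
        return False

if __name__ == "__main__":
    k = build_example_system()
    print(attempt(k, "app_a", "app_b", "cmd"))     # True: channel granted by policy
    print(attempt(k, "app_a", "external", "cmd"))  # False: no direct path, must go via io
    print(k.receive("app_b"))                      # [('app_a', 'cmd')]
```

The audit list records every attempted flow, accepted or refused, which is the kind of per-component observation the integration test described below cannot obtain from the external interfaces alone.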
Currently, a MILS system is first tested during its development and then by observing its output through external interfaces. In other words, testing of a MILS system currently comprises two kinds of tests. The first is a component or application test, in which each application hosted by a partition is tested externally in a stand-alone manner, outside of the context of the MILS system. The second is an integration test, in which the correct behavior of the integrated MILS system is tested by observing the overall system's output to a given input.
However, the known methods do not allow a systematic testing approach. In particular, the prior art methods cannot test the components' reaction while they are already deployed in the MILS system.
Moreover, in certain domains such as aeronautics, the needs are dictated by particularly severe constraints of reliability and security. In particular, there exist specific requirements that do not allow any system configuration changes between a system under evaluation and the finally deployed in-flight system. Thus, testing means cannot be removed after the system has been certified.
The purpose of the present invention is therefore to propose a method and a system for locally testing components in their integrated context on a partitioned type platform (for example MILS) and particularly adapted to be systematically used in an embedded environment like avionics without having the aforementioned shortcomings.